asamassekou10/ship-safe-scan
claude-code-plugin/skills/ship-safe-scan/SKILL.md
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
$ install --global
skillsauthnpx skillsauth add asamassekou10/ship-safe ship-safe-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 8:52 AM8.9s1 file scanned
SKILL.md
- name:
- ship-safe-scan
- description:
- Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
- argument-hint:
- [path]
Ship Safe — Secret Scan
You are scanning this project for leaked secrets using Ship Safe's pattern matching and entropy analysis engine.
Step 1: Run the scan
npx ship-safe@latest scan $ARGUMENTS --json 2>/dev/null
If $ARGUMENTS is empty, default to .:
npx ship-safe@latest scan . --json 2>/dev/null
The command exits 0 if clean, 1 if secrets found. Capture stdout regardless.
Step 2: Parse the JSON output
The JSON output has this structure:
{
"filesScanned": 234,
"totalFindings": 5,
"clean": false,
"findings": [
{
"file": "src/config.js",
"findings": [
{
"line": 42,
"type": "Stripe Live Secret Key",
"severity": "critical",
"description": "Hardcoded Stripe live secret key found",
"matched": "sk_live_****"
}
]
}
]
}
Step 3: Report
If clean: Confirm no secrets were found. Report how many files were scanned. This is good news!
If secrets found:
- List each finding grouped by file:
- File path and line number
- Secret type (e.g., "AWS Access Key", "GitHub Token", "Database URL")
- Severity level
- Never display actual secret values — even partial matches should be referred to by type only
- If multiple secrets are in the same file, group them together
Step 4: Remediate
For each secret found, offer to fix it:
-
Replace the hardcoded secret with an environment variable reference:
- JavaScript/TypeScript:
process.env.VARIABLE_NAME - Python:
os.environ.get('VARIABLE_NAME') - Use a descriptive variable name based on the secret type (e.g.,
STRIPE_SECRET_KEY,DATABASE_URL)
- JavaScript/TypeScript:
-
Create or update
.env.examplewith placeholder values:STRIPE_SECRET_KEY=sk_live_your_key_here DATABASE_URL=postgresql://user:password@host:5432/db -
Ensure
.envis in.gitignore— check and add if missing -
Warn about git history — if the secret was already committed, it exists in git history. Recommend:
- Rotating the credential immediately (mention
npx ship-safe rotate) - Consider using
git filter-branchor BFG Repo Cleaner to remove from history
- Rotating the credential immediately (mention
-
Suggest auto-fix — mention
/ship-safe-fixfor bulk remediation, or/ship-safe-baselineto baseline known findings
Read the file and surrounding context before making any changes. Apply fixes only after presenting the findings, unless the user asked for auto-fix.
Related Skills
asamassekou10/ship-safe
tools
VerifiedTrustedCommunity
Run a full security audit on this project — 16 agents scan for secrets, injections, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a security audit, vulnerability scan, or asks if their code is safe to ship.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-score
development
VerifiedTrustedCommunity
Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?"
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-red-team
tools
VerifiedTrustedCommunity
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-hooks
development
VerifiedTrustedCommunity
Install ship-safe as real-time Claude Code hooks — blocks secrets and dangerous commands before they land on disk. Use when the user wants automatic security scanning on every file write or bash command.
420SKILL.mdUpdated Apr 16, 2026